F5 BIG-IP Phantom Cyber app
Problem this snippet solves:
At World Wide Technology, we are engaging with customers in their evaluation of Phantom. This video clip demonstrates the playbooks and apps developed to ingest data through the REST API and then implement a firewall rule on an F5 BIG-IP appliance that blocks the source IP address identified in the artifact.
This video illustrates the app: https://youtu.be/1lktjQzVcQQ. This link provides additional background on the use case: https://blog.phantom.us/2016/03/31/community-magic/
The app imports (reuses) an Ansible module which uses the iControl REST interface. The Phantom app is available here.
How to use this snippet:
The app can be installed in Phantom and referenced in playbooks. It supports containment actions like 'block ip' or 'unblock ip' on an F5 BIG-IP appliance. A firewall policy (Security ›› Network Firewall : Policies) must already be configured on the BIG-IP, and the name of that policy must be specified in the Action Parameters.
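Because 'block ip' acts on whatever source address an ingested artifact carries, a playbook benefits from vetting the address and the policy name before calling the action. The sketch below is an added example, not code from the Phantom app or the Ansible module; the `cef.sourceAddress` artifact field, the `ip` and `policy` parameter names, and the protected networks are assumptions.

```python
import ipaddress

# Constructed list of networks a playbook must never block (assumed values:
# an out-of-band management range and the internal address space).
NEVER_BLOCK = [ipaddress.ip_network(n) for n in ("192.0.2.0/28", "10.0.0.0/8")]


def vet_block_request(artifact, policy_name, never_block=NEVER_BLOCK):
    """Decide whether a 'block ip' action may run for this artifact.

    Returns (True, params) with the action parameters to pass on, or
    (False, reason) with a string the playbook can log.
    """
    # The page requires an existing firewall policy to be named explicitly.
    if not policy_name or not policy_name.strip():
        return False, "no firewall policy name supplied in the action parameters"

    raw = (artifact.get("cef") or {}).get("sourceAddress")  # assumed field name
    if not raw:
        return False, "artifact has no sourceAddress"

    # Parse strictly: anything that is not a single IP address is rejected,
    # so malformed or tampered artifact data never reaches the appliance.
    try:
        addr = ipaddress.ip_address(raw.strip())
    except ValueError:
        return False, "sourceAddress is not a valid IP address: %r" % raw

    if addr.is_loopback or addr.is_unspecified or addr.is_multicast or addr.is_link_local:
        return False, "%s is a special-purpose address" % addr

    # Spoofed or misattributed events must not lock out protected ranges.
    for net in never_block:
        if addr in net:
            return False, "%s is inside protected network %s" % (addr, net)

    return True, {"ip": str(addr), "policy": policy_name.strip()}


if __name__ == "__main__":
    # Constructed sample artifacts.
    samples = [
        {"cef": {"sourceAddress": "203.0.113.45"}},
        {"cef": {"sourceAddress": "10.1.2.3"}},
        {"cef": {"sourceAddress": "203.0.113.45; extra"}},
    ]
    for art in samples:
        print(vet_block_request(art, "blocklist_policy"))
```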
Code :
https://github.com/joelwking/ansible-f5/blob/master/icontrol_install_config.py
Tested this on version:
11.6
7 Comments
- BAGS_123349
Nimbostratus
This is an outstanding solution. I give it 5 Stars!!!
- jachbr214
Nimbostratus
Great app!
- Joe_Ploehn_2189
Nimbostratus
Ansible makes this a very powerful app - great job!
- Roger_White_218
Nimbostratus
Nice work Joel.
- shawnwat_276005
Nimbostratus
Great work
- brianborland_27
Nimbostratus
Great Solution
- matwagz_277128
Nimbostratus
Great solution - I like the accompanying video and documentation!